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Introduction 


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals rights. 


The public consultation on the draft code will remain open until 4 
March 2020.The Information Commissioner welcomes feedback on 
the specific questions set out below. 


You can email your response to directmarketingcode@ico. org.uk 
Or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 


email the Direct Marketing Code team, 


Privacy statement 

For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting ina 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
Our privacy notice 


Qi Is the draft code clear and easy to understand? 


x Yes 
C1 No 


If no please explain why and how we could improve this: 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 


Yes 
x No 


If no please explain what changes or improvements you would like to 
see? 


The code does not include a section on why this code is important to have. The lack of context makes 
it difficult for data analysts, marketing platforms, customer data platforms, and developers to 
understand the impact that processing a person's data in an unfair way can have. We fear many will be 
asking ‘so what?’ throughout this guide. 


e Search Engine Optimisation and how to be compliant 

e Information to include in your Privacy Policy and the information third 
parties should be providing to their controllers they proces upon. 

e Cross — tracking 

e ITP and handling 

e How to distinguish first and third party cookies 

e Information for controllers who are cooperating with processors, on how to 
transparently inform their customers they track using another party. 


Q3 Does the draft code cover the right issues about direct marketing? 


Yes 
x No 


If no please outline what additional areas you would like to see 
covered: 


Q4 Does the draft code address the areas of data protection and e- 
privacy that are having an impact on your organisation’s direct 
marketing practices? 


Yes 
x No 


If no please outline what additional areas you would like to see covered 


Companies requesting access for data rather than individuals 
- The draft code also misses ITP which is having an impact on direct marketing. 


- There is a lack of guidance around ensuring the identity of the indiviudal prior to fulfillling the 
access request 


Q5 Isit easy to find information in the draft code? 


X Yes 
No 


If no, please provide your suggestions on how the structure could be 
improved: 


Q6 Do you have any examples of direct marketing in practice, good or bad, 
that you think it would be useful to include in the code 


X Yes 
Oh No 


GOOD: 


Asking for consent in cookie banner prior to tracking within a tool like Exponea 

Transparently indiciating to the customer where they can opt out 

Having a clear opt out button on the bottom of the website 

Having retention periods that are long enough not to bother a user with a cookie banner 

Being able to opt out in less than five steps 

Anonymising PII to disconnect it from the user but be able to perform analytics 

Using consents to clean your email list and have a retention period on how long you keep email 
addresses 

Responsibility is on business unless the user has clear ability to exercise their privacy rights 
(e.g by using a browser which blocks third party cookies) 

Working with a CDP that has consent centralised and can be uploaded. 

Double opt in to ensure the customer intended to opt into emails. 

Sending an initial transactional followup email after a purchase highlighting opt in to emails. 
Double opt in to ensure the customer did not make a typo and sign up someone else 

Using “list-unsubscribe” header in emails to provide one click opt-out at the top of the email / in 
UI of the email client 


PROFILING/ANALYSES: 


Clearly defining how and why customers are processed and why this benefits them, how they 
can opt out... 
Providing an option to keep email subscription, but not personalized messages 


USAGE OF HTTPS and handling of Intelligent Tracking Prevention (ITP) 


BAD: 


Guidance of tracking and handling data under ITP 


Cookie banner which disappear after scrolling 
Fake cookie banners which do not prevent cookies dropping on the backend 
Hiding third party cookies 
Cookie banners that repetitively ask for consent 
Being able to opt out in more than five steps and having to visit multiple other company pages 
Automatically tracking using services such as: 

e Advertising trackers such as Google Analytics, Customer Match 

e Facebook, Instagram pixel 

e Cross tracking 

e Web beacons 

e Without a legal basis 

Hiding tick boxes which ask for consent 
No option to opt-out on mobile device (due to screen size and bad design) 


If yes, please provide your direct marketing examples : 


Q7 Do you have any other suggestions for the direct marketing code? 


About you 


Q8 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

[] Other 


Please specify the name of your organisation: 


Exponea 


If other please specify: 


O 
Vo) 


How did you find out about this survey? 


ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 
Colleague 


Dalal)? SRZIC og 


Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 


——————— 


Thank you for taking the time to complete the survey 


fa ge | 


